On November 2, a group including the American Hospital Association (AHA) filed a federal complaint in Texas against the Biden administration for civil rights regulations that prevent hospitals from selling online health tracking data to Big Tech, insurers, and vendors through third-party trackers.

Since the COVID-19 pandemic, telehealth has exploded in popularity, driving more Americans to seek and receive care through hospital system websites. The Health Insurance Portability and Accountability Act (HIPAA) prevents doctors and clinics from revealing anything about a patient’s health data from their medical chart (electronic medical record). Most patients would be surprised to find out that more than 98 percent of acute care hospitals use third-party tracking to sell data, including searches within a hospital’s website, as well as the ability to track a patient’s physical location to companies like Meta.

Information about one’s personal health is worth a lot of money to those who can sell that information to entities such as medical services providers in the area. In addition to connecting patients with care and products they might want to buy, the data can also be used in other ways. For instance, insurance companies or potential employers could use a person’s searches to essentially diagnose a possible condition and flag them as a potential risk. Possible treatments aimed at a patient through the sale of their searches may actually contradict their doctor’s care and treatment plan.

The Biden administration should be given credit (albeit half credit) for this rare bit of patient protection. They miss full credit, however, because they are going after the wrong side of the equation. Big Tech’s insatiable appetite for more and more of our most personal data is driving this problem, and they (not hospitals) should pay the price for their attempts to circumvent HIPAA. This does not absolve hospitals from their duty to protect data as much as it recognizes where the money is coming from.

Say you have a telehealth visit with a counselor to address anxiety. You go to the health system website to log into a secure portal for the appointment. Then you log out of the session and (still within the health system’s website) search “bipolar diagnosis,” “psychotropic side effects,” and “hospice care.” You then visit a psychiatric clinic. Until the Biden administration’s 2022 rule, the hospital could track and sell data related to your online activity and physical travels. Your tracking could provide as much (and perhaps much more) information as your medical chart. The Texas suit would undo that restriction.

Patients are right to assume that just because they log out of the password-protected area of the healthcare site, their data should not be sold to the highest bidder as they try to learn about their conditions and arrange care.

That line between HIPAA-protected and “up-for-grabs” data got blurrier during the COVID-19 emergency declaration when restrictions were relaxed to allow more people to access care via telehealth. Telehealth’s success during the pandemic has led many states to keep eased restrictions on virtual care and expand its use. This also creates more opportunities for the legal sale of medical data.

The AHA and Big Tech say that this is simply done to improve the user experience by tailoring offered services specifically aligned to searches. As to why they would sell the ability to track a patient’s physical location, the AHA states this is only to provide information such as “bus schedules or driving directions to and from a community member's location.”

In 2021, Mass General Brigham and the Dana-Farber Cancer Institute agreed to pay a settlement of $18 million to patients who claimed their medical privacy was breached. The plaintiffs alleged that the hospitals simply lacked consent when using third-party tracking tools—including cookies and tracking pixels while patients were on the website. No hacking or breaches occurred of HIPAA-protected information in the patient’s chart. Costco was also sued for selling health data to access customer searches as well as “highly personal medical information” through the company’s pharmacy.

Hospitals, as well as their patients, have much to lose when Big Tech tries to creep on patient health data. States should look to get in front of this protracted federal slugfest and protect patient data.

Matt Dean ([email protected]) is a senior fellow for health care policy outreach with The Heartland Institute.